sfw/fix
NXDOMAIN medium

NXDOMAIN (Non-Existent Domain)

An authoritative nameserver confirms the queried name simply does not exist in its zone.

What you see

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9027
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. ...

What’s actually happening

This is a definitive negative answer, not a failure: the authoritative server returned RCODE 3, meaning the name has no records of any type. dig shows status: NXDOMAIN with an empty answer section and an SOA in the authority section. It resolves the same way from every resolver (because the answer is authoritative), which distinguishes it from SERVFAIL. Chrome renders it as DNS_PROBE_FINISHED_NXDOMAIN.

Common causes

  • The record was never created, or was deleted — there's genuinely nothing to return for that name.
  • Typo'd or wrong subdomain (e.g. querying ftp.example.com when only www exists).
  • Domain registration expired, so the registry pulled the delegation and the name resolves to nothing.
  • A DNS change hasn't propagated yet and an old resolver cached the pre-existing negative answer (negative caching, governed by the SOA minimum TTL).
  • Wrong zone/apex assumption — the name lives under a different parent than you think.

How to fix it

  1. Verify the exact name against authoritative DNSdig +short example.com and the specific label you need, e.g. dig +short api.example.com. If it's NXDOMAIN, query the authoritative server straight: dig @ns1.example.com api.example.com to confirm the record really is absent at the source.
  2. Create the missing recordAdd the A/AAAA (or CNAME) record for the exact hostname at your DNS provider. Match the label precisely — api vs www vs apex are different names.
  3. Wait out negative caching after adding itIf the name returned NXDOMAIN before you created it, resolvers cached that negative for the SOA minimum TTL. Check it with dig example.com SOA (last field) and wait that long, or test against a resolver that never cached it (dig @8.8.8.8 ...).
  4. Check the registrationwhois example.com — if it's expired or 'pendingDelete', the whole domain returns NXDOMAIN regardless of your zone records. Renew it and the delegation comes back.
  5. Confirm you're querying the right zoneFor deep names, make sure the parent zone delegates the subdomain you expect. dig example.com NS shows where the apex is hosted; a separately delegated subdomain may have its own nameservers.

Stop it recurring

Add the record and let it propagate before sharing the URL, and keep registration auto-renew on to avoid the whole domain blinking out.

Related errors

DNS_PROBE_FINISHED_NXDOMAIN

critical

NXDOMAIN means the domain name couldn’t be resolved to an IP — the browser literally can’t find your server.

SERVFAIL DNS Response Code

high

The resolver tried to answer but couldn't get a valid response, usually from broken authoritative DNS or DNSSEC.

DNS Server Not Responding

medium

Your OS can't reach the resolver it's configured to use, so no lookups complete at all.

ERR_NAME_NOT_RESOLVED

high

Chrome's resolver got no usable IP back for the hostname, so the request never left the device.